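---
# -----------------------------------------------------------------------------
# Certificate Distribution Playbook
# -----------------------------------------------------------------------------
# Pulls certificates from OCI Vault (uploaded by bootes certbot) and
# deploys them directly to target hosts for HAProxy/service TLS termination.
#
# Each target host defines its certificates in host_vars:
#   certbot_distributed_certs:
#     - cert_name: corvus.helu.ca
#       cert_path: /etc/haproxy/certs/corvus.helu.ca.pem
#
# Required variables:
#   oci_vault_id               - vault holding the secrets
#   certbot_distributed_certs  - list of {cert_name, cert_path}; hosts that do
#                                not define it are skipped
#
# Vault secret names are derived from cert_name with dots replaced by dashes:
#   <name>-fullchain and <name>-privkey. Both are written, in that order, into
#   one PEM file at cert_path (the combined format HAProxy expects).
#
# Run from fornax:
#   ansible-playbook certbot/cert-distribute.yml
#
# Deployed as a weekly cron job on fornax.
# Can also be run manually after ad-hoc certificate renewals.
# -----------------------------------------------------------------------------

- name: Distribute certificates from OCI Vault to target hosts
  hosts: ubuntu:debian
  gather_facts: false

  handlers:
    # `services` is populated by the service_facts task below. systemd units
    # are keyed as "<name>.service" there; the bare name is kept for other
    # service managers. Without this, the handler condition was never true.
    - name: reload haproxy
      become: true
      ansible.builtin.systemd:
        name: haproxy
        state: reloaded
      when: >-
        'haproxy.service' in services | default({})
        or 'haproxy' in services | default({})

  tasks:
    - name: Skip hosts without distributed certificates
      ansible.builtin.meta: end_host
      when: certbot_distributed_certs is not defined

    # Read-only; needed because gather_facts is off and nothing else defines
    # the `services` fact the reload handler checks.
    - name: Gather service facts for the reload handler
      become: true
      ansible.builtin.service_facts:

    # Every distinct parent directory, not only the first entry's - certs on
    # one host may live under different paths.
    - name: Ensure cert directories exist
      become: true
      ansible.builtin.file:
        path: "{{ item }}"
        state: directory
        owner: root
        group: root
        mode: '0755'
      loop: >-
        {{ certbot_distributed_certs
           | map(attribute='cert_path') | map('dirname') | unique | list }}

    # `validate` runs against a temp file before the destination is replaced,
    # so an empty, malformed or expired vault secret cannot clobber a working
    # certificate. no_log hides the secret material from output; it also hides
    # the validate failure text, so check the vault secret directly when this
    # task fails.
    # NOTE(review): 0640 root:root assumes the TLS service opens the file
    # before dropping privileges (HAProxy does) - confirm for other consumers.
    - name: Deploy certificate from OCI Vault
      become: true
      ansible.builtin.copy:
        content: |
          {{ lookup('oci_secret', item.cert_name | replace('.', '-') + '-fullchain', vault_id=oci_vault_id) }}
          {{ lookup('oci_secret', item.cert_name | replace('.', '-') + '-privkey', vault_id=oci_vault_id) }}
        dest: "{{ item.cert_path }}"
        owner: root
        group: root
        mode: '0640'
        validate: "openssl x509 -noout -checkend 0 -in %s"
      loop: "{{ certbot_distributed_certs }}"
      loop_control:
        label: "{{ item.cert_name }}"
      no_log: true
      notify: reload haproxy

    # Re-checks the file actually on disk; a non-zero exit fails the host and
    # therefore suppresses the reload handler for it. argv avoids shell
    # splitting of cert_path.
    - name: Verify deployed certificates are valid PEM
      become: true
      ansible.builtin.command:
        argv:
          - openssl
          - x509
          - -noout
          - -checkend
          - "0"
          - -in
          - "{{ item.cert_path }}"
      register: _cert_check
      loop: "{{ certbot_distributed_certs }}"
      loop_control:
        label: "{{ item.cert_name }}"
      changed_when: false

    # Subject and notAfter only - no key material reaches the log.
    - name: Show certificate expiry dates
      become: true
      ansible.builtin.command:
        argv:
          - openssl
          - x509
          - -noout
          - -subject
          - -enddate
          - -in
          - "{{ item.cert_path }}"
      register: _cert_info
      loop: "{{ certbot_distributed_certs }}"
      loop_control:
        label: "{{ item.cert_name }}"
      changed_when: false

    - name: Log certificate status
      ansible.builtin.debug:
        msg: "{{ item.item.cert_name }}: {{ item.stdout }}"
      loop: "{{ _cert_info.results }}"
      loop_control:
        label: "{{ item.item.cert_name }}"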